- From: Peter Snyder via WBS Mailer <sysbot+wbs@w3.org>
- Date: Fri, 10 Jan 2025 23:57:02 +0000
- To: public-review-comments@w3.org
- CC: psnyder@brave.com
The following answers have been successfully submitted to 'Call for Review: CSS Working Group Charter' (Advisory Committee) for Brave Software Inc. by Peter Snyder. The reviewer's organization suggests changes to this Charter, and only supports the proposal if the changes are adopted [Formal Objection]. Additional comments about the proposal: Brave is formally objecting to this rechartering because of the WG's unwillingness or inability to address the privacy harms introduced by some of the group's specs. Specifically, Brave is concerned that the group has still not addressed (or made significant progress in presenting a plan or strategy to address) fingerprinting concerns in the CSS Fonts Module series of fonts. Brave, along with other members of PING (now PrivacyWG) and W3 staff, have brought these concerns to the group repeatedly, for over 4 years, but no meaningful progress has been made. These discussions have occurred over several issues, meetings, and mailing list threads, including https://github.com/w3c/csswg-drafts/issues/4055 and https://github.com/w3c/csswg-drafts/issues/4497 to give two examples. Brave will happily remove our FO to the rechartering if the group proposes a plan to address the fingerprinting surface, and to commit to incorporating mitigations for this fingerprinting vulnerability into the group's specs. The WG's refusal to address the identified fingerprinting surface is concerning for at least three reasons. One, the fingerprinting surface is highly identifying for some users. The presence of a rarely-installed font, given a site's user base, can contribute heavily to re-identifying a user in a way contrary to the Web's privacy goals (consider, for example, the [identity](https://www.w3.org/TR/privacy-principles/#identity) principals in the recently [Privacy Principals note](https://www.w3.org/TR/privacy-principles/)). Second, the fingerprinting surface is extremely stable (users don't often install new fonts on their system), meaning that the fingerprinting inputs will be very stable, and so contribute to users being reidentified across contexts against their wishes (e.g., visits to different sites, across storage clear events, across visits to the same site in different profiles). And third, because the fingerprinting surface is being actively targeted and exploited, and has been for years (see, for example, the extremely, popular [fingerprintjs library](https://github.com/fingerprintjs/fingerprintjs/blob/master/src/sources/fonts.ts)). Some of the feedback we've received from (some in) the WG is that such privacy concerns amount to us throwing internationalization concerns "under the bus" (and that, likewise, folks with internationalization concerns are throwing privacy-sensitive users "under the bus"). I think this is insulting and inaccurate framing. If the Web is going to flourish and win over other application platforms, it's not sufficient to pose such concerns in an either/or choice and stop there (or to ignore Web users who need the platform to both protect their privacy AND include top-tier internationalization support). Yet, unfortunately, this is exactly what the WG has done over the 4+ years we've urged them to address this issue. It's possible the correct solution hasn't been proposed yet, but that's a reason to keep working on the problem, not leave it be. As said above, Brave will happily remove our FO to the rechartering if the group commits to, and proposes a plan for, addressing the discussed fingerprinting surface in their specs. The reviewer's organization: - intends to review drafts as they are published and send comments. - intends to develop products based on this work. Answers to this questionnaire can be set and changed at https://www.w3.org/2002/09/wbs/33280/css-2025/ until 2025-01-10. Regards, The Automatic WBS Mailer
Received on Friday, 10 January 2025 23:57:03 UTC